Designated Record Set: What It Includes, What It Does Not, and Why It Matters

If you have ever told a patient “that’s not part of the medical record,” or you have been told by a vendor “we don’t provide that,” you have already run into the real problem: “medical record” is not the term that drives HIPAA access rights. The HIPAA Privacy Rule uses a different boundary: the designated record set (DRS). That boundary is broader than most people assume, it can span multiple systems and vendors, and it is the yardstick OCR uses when evaluating whether a practice is providing complete access.

The DRS concept exists because HIPAA is trying to protect a practical right, not a filing convention. Patients are entitled to see and receive copies of their protected health information (PHI) that is used to make decisions about them, even if that PHI lives in billing systems, portals, archived storage, or a business associate’s platform. The DRS is also used for other individual rights, such as the right to request amendments. So this is not just a records department issue. It is a governance and system design issue: if your practice cannot define its DRS and reliably retrieve the PHI within it, you cannot reliably meet the rule.

What follows is a precise, operations-focused explanation of how to identify your DRS, what typically belongs in it for small practices, what typically does not, and how to handle mixed-source records (EHR plus portal plus billing plus external results) without disclosing more than necessary.

Informational note: This report is for informational purposes only and does not constitute legal advice.

The governing definition: what HIPAA means by “designated record set”

HIPAA defines “designated record set” at 45 C.F.R. § 164.501. In plain language, a DRS is a group of records maintained by or for a covered entity that includes:

  • medical records and billing records about individuals (for providers),
  • enrollment, payment, claims adjudication, and case or medical management record systems (for health plans), and
  • other records used, in whole or in part, by or for the covered entity to make decisions about individuals. [1][2]

That third category is the one that quietly expands scope for real clinics. It is not limited to the “chart.” If a record is used to make decisions about an individual, it can be in the DRS even if it does not look like “medical documentation.” OCR’s access guidance makes this explicit and adds an important nuance: “other records used…to make decisions” includes records used to make decisions about any individuals, even if the particular record type has not been used to make a decision about the particular individual requesting access. In other words, if the record type is part of decision-making in your practice’s operations, it is risky to assume it falls outside the DRS just because it was not decisive in one patient’s case. [2]

The DRS definition matters because the right of access is tied to it. Under 45 C.F.R. § 164.524, an individual has a right to inspect and obtain a copy of PHI about them in a designated record set for as long as the PHI is maintained in the designated record set. The rule also requires covered entities to document the designated record sets that are subject to access and the titles of the persons or offices responsible for receiving and processing access requests. That documentation requirement is often overlooked, but it reflects how the rule expects you to behave: you should be able to identify your DRS deliberately, not by improvising when someone asks. [3]

“Maintained by or for” means your DRS follows your data into vendors and archives

Small practices often miss DRS content not because they are trying to restrict access, but because their PHI is distributed. A typical practice has at least four “record” surfaces: the EHR, a billing or clearinghouse workflow, a portal or messaging tool, and an ecosystem of third-party results (labs, imaging, consults) that may be imported, linked, or attached. Add outsourced IT support, managed hosting, or scanning services and you can have PHI stored and processed in places that front-line staff never see.

HIPAA addresses that reality directly. OCR’s right of access guidance states that individuals have the right to access PHI for as long as it is maintained by a covered entity or by a business associate on behalf of a covered entity, regardless of whether it is maintained onsite, remotely, or archived, and regardless of where the PHI originated (for example, another provider or the patient). This is one of the core reasons the DRS concept exists: it prevents organizations from shrinking access rights by spreading information across platforms. [2]

OCR also clarifies that connecting records to an exchange network does not change DRS status. The FAQ on designated record sets explains that if information meets the DRS definition, it remains part of the DRS even if it is linked to a network for health information exchange purposes. A practice cannot treat “it’s in the network” as a reason it is no longer in scope. The determinant is whether it is part of the DRS, not where it is routed. [4]

From a practical standpoint, this means you should assume your DRS crosses system boundaries unless you have a documented reason it does not. If your billing vendor maintains billing records “for” you, those records can be DRS content. If your portal stores message threads or attachments that are used in care decisions, that content can be DRS content. If your EHR vendor hosts and archives older records, those archived records remain in scope for access as long as they are maintained. [2][3]

Why the designated record set matters in day-to-day clinic operations

The DRS is not academic. It is the boundary for several rights that patients actually use, and it is a common failure point in complaints.

First, the right of access is enforceable and time-bound. If a patient requests their “records” and you treat that as “print the chart,” you can easily miss billing records, portal communications, intake forms, scanned outside records, or other decision-relevant documents that are part of the DRS. OCR’s access guidance explicitly emphasizes breadth, including information contributed by other providers and information provided by the patient when it is maintained in the medical record or other DRS. This is why “we didn’t create it” is usually not a winning argument when you maintain it and use it. [2]

Second, the right to request amendment applies to PHI about the individual in a designated record set for as long as the PHI is maintained in the DRS. If a practice defines its DRS too narrowly, it can mishandle amendment requests by treating certain systems as outside scope. That tends to create repeat friction with patients because they experience it as “you won’t correct your records,” even when the real issue is “you don’t know where your records live.” [5]

Third, the DRS distinction is a safety mechanism for practices as well. HIPAA does not give individuals a right of access to all PHI a practice might possess in any context. If a set of records is not part of the DRS because it is not used to make decisions about individuals, it may be out of scope for access. This becomes important when practices hold peer review, quality improvement, and operational evaluation records that may include PHI as source material but are not used to make individual-level decisions. OCR’s access guidance gives concrete examples of records that may include PHI but might not be in the DRS, such as peer review files, practitioner performance evaluations, and certain health plan quality control records used for customer service improvement or formulary development. That guidance gives clinics permission to be precise, but only if they can justify the precision. [6]

Designated record set versus “medical record” versus “legal health record”

Most of the confusion around DRS comes from two common assumptions.

The first is that “medical record” is a single, obvious thing. In reality, organizations use different internal constructs: “chart,” “EHR record,” “billing file,” “legal record,” and so on. HIPAA does not tell you that your “legal health record” is the DRS. In many organizations, the “legal health record” is a subset of the DRS, defined by organizational policy and often influenced by state law and litigation practices. Industry guidance from AHIMA has long emphasized the distinction: the DRS is the HIPAA-defined set used for access and amendment rights, while the legal health record is an organizational business record concept used for legal proceedings and releases, and it may not include all DRS elements. If a practice equates “legal record” with “DRS,” it can underproduce in response to an access request. [7][8]

The second assumption is that the DRS is always identical to “everything in the EHR.” That is also not reliable. Some EHR content is not used to make decisions about individuals (for example, internal system metadata or certain provider evaluation artifacts), while other DRS content may live outside the EHR (for example, billing vendor systems, portal messaging platforms, or external document management). The correct model is that the DRS is a functional set defined by use and decision-making, not by the name of the system that stores it.

A defensible practice approach is to treat the DRS as a mapped boundary that sits above systems. Systems are storage; the DRS is the set of record categories that your practice maintains and uses to make individual decisions, regardless of where those categories are stored.

What typically belongs in a provider’s designated record set

For a small practice functioning as a covered health care provider, the DRS almost always includes, at minimum, the medical records and billing records about the individual. HIPAA does not narrowly define “medical record” in the way many vendors do, and OCR’s access guidance reinforces that the individual generally has a right to access all information about them in the medical record, including information they provided and information contributed by other providers or covered entities, as long as you maintain it. That is why lab results, imaging reports, consult notes, and outside records that you import or scan into your system are commonly in scope once you maintain them as part of the record you use for care. [2]

In concrete operational terms, medical-record DRS content usually includes documentation that supports diagnosis and treatment decisions: histories, problem lists, allergies, medication lists, immunizations, clinical notes, orders, results, care plans, referrals, and discharge or follow-up instructions. It also commonly includes patient-submitted data when the practice stores it and uses it in decision-making, such as intake questionnaires, symptom checklists, home readings submitted through a portal, and patient-provided histories that become part of the chart. If the information affects how you treat, schedule, or manage the patient, it is difficult to justify excluding it from the DRS.

Billing-record DRS content is often missed because it sits outside the EHR workflow. Billing records include items like claims information, charge details, coding, payment histories, account statements, and documentation used to make determinations about what the patient owes, what was submitted, what was denied, and what will be appealed. OCR’s FAQ describing what personal health information individuals have a right to access explicitly includes billing records and payment and claims records within designated record sets. Practices that only produce clinical notes in response to a “records request” are often producing only a portion of the DRS. [9]

The “other records used to make decisions” category is the broadest and most context-specific. For small practices, it can include records that drive administrative decisions about individuals, such as prior authorization documentation, medical necessity determinations that affect the individual’s care pathway, benefit eligibility determinations when maintained by or for the practice as part of its decision-making, and case management notes when used to make decisions about the individual’s care coordination. The key is not whether the document feels clinical; the key is whether it is used in whole or in part to make decisions about the individual and is maintained by or for the practice. [1][2]

What typically does not belong in a designated record set

HIPAA does not create a right to access every instance of PHI that might appear anywhere in your organization. The DRS concept is how HIPAA draws that boundary, and OCR has given examples of categories that may contain PHI but may not be part of the DRS when they are not used to make decisions about individuals.

OCR’s right of access guidance lists peer review files and practitioner performance evaluations as examples of records that may include an individual’s PHI but might not be in the DRS and therefore might not be subject to individual access. For health plans, OCR gives analogous examples like quality control records used to improve customer service or formulary development records. The unifying theme is that these records are used for internal improvement or organizational decisions rather than for decisions about the individual. For a provider practice, similar logic often applies to quality improvement work product, incident reviews, compliance investigations, and business planning documents when they are not used to make decisions about the individual patient. None of this is automatic. The practice still needs a documented rationale that ties the exclusion to the DRS definition, meaning the record is not part of medical or billing records and is not used to make decisions about individuals. [6]

There is also an important category that is often confused with “DRS exclusion” but is technically an “access exception.” Under 45 C.F.R. § 164.524, even if PHI is in a designated record set, two types of information are expressly excepted from the individual’s right of access: psychotherapy notes and information compiled in reasonable anticipation of, or for use in, a civil, criminal, or administrative action or proceeding. This is why “DRS” and “right of access” are related but not identical. A practice still must be able to identify what is in the DRS, but the practice must also be able to withhold these excepted categories while providing access to the rest of the requested information. The regulation explicitly requires that, to the extent possible, the practice must give access to other requested PHI after excluding the information as to which it has a ground to deny access. [3]

Psychotherapy notes are defined narrowly in the HIPAA definitions and are not simply “therapy notes.” They are notes recorded by a mental health professional documenting or analyzing the contents of counseling sessions that are kept separate from the rest of the medical record. The definition also clarifies what psychotherapy notes do not include, such as medication prescription and monitoring, counseling session start and stop times, results of clinical tests, and summaries of diagnosis, treatment plan, symptoms, prognosis, and progress. This distinction matters because many practices mistakenly treat broad behavioral health documentation as “psychotherapy notes” and withhold too much. HIPAA expects precision: psychotherapy notes are a specific subset and the remainder of mental health information in the DRS is generally accessible. [10][3]

Mixed-source records: how to produce a complete response without over-disclosing

The hardest DRS work is not deciding what the DRS is in theory. The hardest work is producing a complete and appropriately scoped record set when the information is distributed across systems and originates from multiple sources.

Start by treating every access request as a scope definition exercise. The patient’s right is to the PHI about them in the DRS, but the request can be narrower than “everything.” The regulation allows you to discuss the scope, format, and other aspects of the request as necessary to facilitate timely provision of access. That is not a loophole to delay. It is a practical allowance to avoid producing material the patient did not ask for and to avoid unnecessary copying of unrelated content. A well-run practice clarifies scope early, documents the clarified request, and then collects from all DRS sources that fall within that scope. [3]

Next, assume that your collection has to include business associates if they maintain parts of the DRS for you. OCR’s access guidance explicitly includes PHI maintained by a business associate on behalf of the covered entity, and the regulation requires you to document the designated record sets subject to access. If you cannot retrieve PHI that is maintained “for” you, the patient experience will be “you did not provide my record.” From OCR’s perspective, “the vendor has it” is not a complete answer if it is maintained on your behalf as part of your DRS. The practice should have internal procedures that define where DRS content is stored and how it is retrieved, and those procedures should include vendor retrieval paths. [2][3]

Then, control over-disclosure by separating three ideas that clinics often mix together.

First, the DRS is not automatically the “entire record dump” in response to every request. It is the universe from which the response is drawn, based on what the patient requested. Second, access requests are about the individual’s own PHI, so the typical “minimum necessary” logic that applies to many other disclosures is not the right tool for limiting patient access. The correct limitation tool is the scope of the request and the specific exceptions and denial grounds permitted by § 164.524, applied precisely and documented. Third, when you exclude information due to an allowed exception, you still have a duty to provide the remainder to the extent possible. That is why practices should design their systems so psychotherapy notes, legal work product, and internal review files are stored in ways that make segregation possible without accidental leakage or accidental withholding. [3][10]

Finally, remember that “mixed-source” does not mean “mixed-permission.” A patient’s access right applies to the patient’s PHI in the DRS. It does not create a reason to include unrelated third-party PHI simply because it was attached to an encounter document or scanned into a batch PDF. When records are scanned in bulk or exported as encounter packets, it is common to accidentally include other patients’ information. This is less a HIPAA theory issue and more a workflow and export quality issue. The safest operational approach is to use controlled exports, verify for misfiled attachments, and maintain a release log that ties what was produced to the request.

Portals, outside results, and “linked” records: the common edge cases

Two edge cases create repeat confusion for small practices.

The first is portal content. Practices often think of portal messaging as “communications,” not “records.” But if portal messages, attachments, and patient-submitted questionnaires are maintained by or for the practice and used to make decisions about the individual, they fit naturally into the DRS logic. That does not mean every transient system notification must be disclosed. It means that if portal content functionally becomes part of the record you use to manage the patient’s care, you should treat it as within scope unless you have a documented reason it is not.

The second is outside results and exchange connectivity. OCR’s access guidance states the right of access applies regardless of where the PHI originated, including information contributed by other providers, as long as it is maintained in the medical record or other DRS. The separate OCR FAQ clarifies that linking a records system to a network for health information exchange does not change the status of information maintained within designated record sets. Together, these points mean that if you maintain an outside lab report, consult note, or imaging report as part of the records you use, you generally cannot deny access by saying “we did not create it” or “it came from the network.” The meaningful question is whether you maintain it as part of the DRS. [2][4]

There is one more operational detail that is easy to miss: § 164.524(c)(1) states that if the same PHI that is the subject of the request is maintained in more than one DRS or more than one location, you need only produce it once. This matters when practices store duplicates across an EHR, a portal, and an archive. You do not need to overwhelm the patient with redundant versions, but you do need to ensure completeness, meaning you have captured the content that exists across systems, not just the version that happens to be easiest to print. [3]

A practical way for small practices to define and maintain their DRS

HIPAA’s access rule does not just impose response deadlines. It implicitly expects you to know your designated record sets. The fastest way to reach a defensible posture is to do a one-time DRS mapping exercise, then treat it as a living inventory.

Start with system identification. List every system that stores patient-related information for your practice: the EHR, billing, clearinghouse portals, patient portal, document management, scanning repositories, secure email or messaging tools used for clinical communications, and any specialty systems that hold results or images. Identify which are maintained directly by you and which are maintained by business associates “for” you.

Then map record categories to those systems using the DRS definition. Medical records and billing records are the baseline for provider practices. Next, identify “other records used to make decisions” in your workflow, which often includes prior authorization artifacts, referral management records, case management notes, and similar decision-driving documents. At the same time, identify record categories that are generated from PHI but used for internal improvement or business decisions rather than decisions about individuals, such as peer review and quality improvement work product, and document why those are outside the DRS based on use, not based on convenience. OCR’s guidance gives you language and examples that support that distinction when it is real. [6][2]

Finally, build retrieval procedures. The access rule requires you to document the designated record sets subject to access and the titles of offices responsible for receiving and processing requests. In practice, your procedures should also state how to retrieve each DRS category from each system and what to do when a business associate holds the relevant records. If you can retrieve the record set quickly and consistently, you dramatically reduce both patient friction and compliance risk. [3]
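The mapping exercise above, together with the scoping, exception and deduplication rules from the mixed-source section, can be expressed as a small inventory-plus-assembly routine. The following is an added illustration written for this article, not code from any EHR, vendor or regulator; every system name, record category and sample record in it is a constructed placeholder, and the category-to-system map stands in for the documentation § 164.524 expects a practice to keep.

```python
"""Added example: a constructed DRS inventory and an access-request assembly routine.

System names, categories and sample records are hypothetical placeholders chosen to
mirror the article's rules: the DRS spans systems and business associates, duplicates
across locations are produced once, psychotherapy notes and litigation material are
withheld while the remainder is produced, and non-DRS or other-patient material is
never released. Nothing here is legal advice or a real product's data model.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

# The two access exceptions in 45 C.F.R. § 164.524(a)(1), used as record-level flags.
ACCESS_EXCEPTIONS = {"psychotherapy_notes", "litigation_anticipation"}

# Constructed DRS inventory: record category -> systems that hold it (including
# systems run by business associates "for" the practice). This is the "mapped
# boundary that sits above systems" from the article; a real inventory would
# also record the maintainer and the responsible office for each category.
DRS_INVENTORY: Dict[str, List[str]] = {
    "clinical_note": ["ehr", "archive"],          # same note may exist in both
    "lab_result": ["ehr"],
    "billing": ["billing_vendor"],                # maintained by a business associate
    "portal_message": ["portal"],                 # maintained by a business associate
    "prior_auth": ["ehr"],
    "psychotherapy_notes": ["ehr_restricted"],    # in the DRS, but excepted from access
    "litigation_file": ["legal_hold"],            # in the DRS, but excepted from access
}

# Categories generated from PHI but documented as outside the DRS because they
# are not used to make decisions about individuals (constructed rationale text).
NOT_IN_DRS: Dict[str, str] = {
    "peer_review": "used for practitioner evaluation, not decisions about the individual",
}


@dataclass(frozen=True)
class Record:
    record_id: str
    patient_id: str
    category: str
    system: str
    content_hash: str                      # stand-in for a content fingerprint
    access_exception: Optional[str] = None  # one of ACCESS_EXCEPTIONS, or None


def assemble_access_response(records: Iterable[Record], patient_id: str,
                             requested_categories: Optional[Set[str]] = None) -> dict:
    """Draw a response from the DRS for one patient's request.

    Returns produced records, withheld records with their exception ground, and
    excluded records with the reason each was left out, so the result doubles as
    the release log entry that ties what was produced back to the request.
    """
    scope = requested_categories or set(DRS_INVENTORY)   # narrower scope if the patient asked for it
    produced: List[Record] = []
    withheld: List[tuple] = []
    excluded: List[tuple] = []
    seen_hashes: Set[str] = set()
    for rec in records:
        if rec.patient_id != patient_id:
            excluded.append((rec.record_id, "PHI of another individual (misfiled/batch)"))
        elif rec.category in NOT_IN_DRS:
            excluded.append((rec.record_id, "not in DRS: " + NOT_IN_DRS[rec.category]))
        elif rec.category not in DRS_INVENTORY:
            excluded.append((rec.record_id, "category not mapped in DRS inventory"))
        elif rec.category not in scope:
            excluded.append((rec.record_id, "outside the scope the patient requested"))
        elif rec.access_exception in ACCESS_EXCEPTIONS:
            withheld.append((rec.record_id, rec.access_exception))   # rest is still produced
        elif rec.content_hash in seen_hashes:
            excluded.append((rec.record_id, "same PHI already produced from another location"))
        else:
            seen_hashes.add(rec.content_hash)
            produced.append(rec)
    return {"patient_id": patient_id, "scope": sorted(scope),
            "produced": produced, "withheld": withheld, "excluded": excluded}


def retrieval_gaps(inventory: Dict[str, List[str]], reachable_systems: Set[str]) -> Dict[str, List[str]]:
    """Report DRS categories whose systems have no working retrieval path.

    Any entry here is the 'vendor dependency without vendor retrieval path' failure
    the article describes: DRS content exists, but the practice cannot produce it.
    """
    return {cat: [s for s in systems if s not in reachable_systems]
            for cat, systems in inventory.items()
            if any(s not in reachable_systems for s in systems)}


# Constructed sample records for one request from patient P001.
SAMPLE_RECORDS = [
    Record("n1", "P001", "clinical_note", "ehr", "h-note-1"),
    Record("n1-arch", "P001", "clinical_note", "archive", "h-note-1"),   # archived duplicate
    Record("b1", "P001", "billing", "billing_vendor", "h-bill-1"),
    Record("m1", "P001", "portal_message", "portal", "h-msg-1"),
    Record("pt1", "P001", "psychotherapy_notes", "ehr_restricted", "h-psy-1", "psychotherapy_notes"),
    Record("lg1", "P001", "litigation_file", "legal_hold", "h-lg-1", "litigation_anticipation"),
    Record("pr1", "P001", "peer_review", "qi_share", "h-pr-1"),          # PHI, but not DRS
    Record("n2", "P002", "clinical_note", "ehr", "h-note-2"),            # other patient in the batch
]

if __name__ == "__main__":
    resp = assemble_access_response(SAMPLE_RECORDS, "P001")
    print("produced:", [r.record_id for r in resp["produced"]])
    print("withheld:", resp["withheld"])
    print("excluded:", resp["excluded"])
    print("gaps:", retrieval_gaps(DRS_INVENTORY, {"ehr", "archive", "portal", "ehr_restricted", "legal_hold"}))
```

Running it produces the clinical note once (the archived copy is logged as a duplicate), the billing record and the portal message, withholds the two excepted items with their grounds, logs the peer review file and the other patient's note as excluded, and reports that the billing vendor has no retrieval path in the reachable-systems set, which is exactly the gap a practice should close before a request arrives.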

Common failures and how to prevent them

The most common failure is treating “designated record set” as synonymous with “the chart printout.” OCR’s access guidance and FAQs make clear that the DRS includes billing records and other records used to make decisions, and that access rights extend regardless of where the PHI originated or where it is stored. Practices that omit billing records or omit portal content often do so unintentionally, but from the patient’s perspective it is still an incomplete record. [2][9]

Another common failure is over-withholding by labeling broad mental health documentation as “psychotherapy notes.” The HIPAA definition is narrower than many assume, and § 164.524 excludes psychotherapy notes from access while still requiring you to provide other requested PHI to the extent possible. Over-withholding invites complaints because patients can see that something is missing and the denial rationale often does not map to the regulation. [10][3]

A third failure is accidental over-disclosure due to bulk scanning or exports. The DRS concept is about what PHI is subject to access, not about sending every attached document without verification. Practices that build controlled export procedures and verify for misfiled documents reduce breach risk while still complying with access obligations.

The last failure is vendor dependency without vendor retrieval paths. OCR is explicit that access rights extend to PHI maintained by business associates on behalf of the covered entity. If you have no operational way to retrieve PHI maintained “for” you, you have built a predictable compliance failure into your architecture. [2]

Conclusion

The designated record set is HIPAA’s practical answer to a modern reality: patient information is distributed, multi-sourced, and used for decisions in more places than a paper chart ever captured. If your practice can define its DRS precisely, separate what is in scope from what is not, and retrieve DRS content across systems without over-disclosing, you will handle access requests faster, reduce complaint risk, and run a cleaner operation overall. The practices that struggle are usually not “noncompliant by attitude.” They are noncompliant by architecture: they cannot explain where their records live, so they cannot reliably produce them.

Sources

[1] 45 C.F.R. § 164.501, definition of “designated record set.” 

[2] HHS OCR, Individuals’ Right under HIPAA to Access their Health Information (includes DRS categories, “maintained by or for,” origin of PHI, and “used to make decisions” explanation). 

[3] 45 C.F.R. § 164.524, Access of individuals to protected health information (right of access tied to DRS, exceptions for psychotherapy notes and litigation-related information, and documentation of designated record sets). 

[4] HHS OCR FAQ 550, Designated record set status does not change due to linkage to a network. 

[5] 45 C.F.R. § 164.526, Amendment of protected health information (right to amend PHI in a designated record set). 

[6] HHS OCR Right of Access Guidance (examples of records that may include PHI but might not be in the DRS, including peer review and performance evaluation records). 

[7] AHIMA, Fundamentals of the Legal Health Record and Designated Record Set (industry guidance distinguishing DRS and legal health record concepts). 

[8] AHIMA, Defining the Designated Record Set (industry guidance on DRS definition and role in access and amendment standards). 

[9] HHS OCR FAQ 2042, What personal health information do individuals have a right under HIPAA to access (includes billing, payment, claims, and decision-used records). 

[10] 45 C.F.R. § 164.501, definition of “psychotherapy notes” (scope and exclusions). 
